14 Dec
2007
14 Dec
'07
1:18 p.m.
Neill Wilkinson writes:
btw: IMO this is a bug in SIP. The RFC tells us that the SIP proxy should
store the Contact URI and route calls based in this URI. But AFAIK the RFC
does not tell us to validate the Contact URI.
Never trust user provided data blindly. The Contact is user provided :-(
regards
klaus
Surely just authenticate all register requests
with www-challenge. Hide
your
gateway and SER behind a firewall so your Gateway
cannot be seen from
the
outside work (from a SIP Signalling perspective),
and for PSTN calls
from
authenticated users do a rewritehost and forward
to send the INVITEs on
to
the PSTN gateway?
Neill....;o)
perhaps you didn't understand the problem. authenticating register
requests is not enough. you also need to check what user puts in
contact(s), since you cannot hide your gws from your proxies.